Network Fingerprinting

Network fingerprinting is a security technique used to identify and classify clients based on their unique network characteristics. Instead of relying solely on IP addresses or user agents, which can be easily spoofed, fingerprinting analyzes the subtle details of how a client communicates at the network level. This provides a more reliable way to identify automated tools, specific client software, and even malicious actors.

How it Works

When a client connects to a server, it sends a series of packets with specific configurations. These configurations, such as the list of supported TLS ciphers, HTTP/2 settings, or TCP window sizes, create a unique signature or "fingerprint." Peakhour captures and analyzes these fingerprints to build a profile of the client.

Types of Fingerprints

Peakhour utilizes several types of network fingerprints to provide comprehensive client identification:

TLS Fingerprinting

Analyzes the parameters of the TLS handshake (Client Hello message). This includes:

  • TLS version
  • Supported cipher suites and their order
  • Supported extensions
  • Elliptic curves and point formats

TLS fingerprints are highly effective at identifying specific client libraries (like those used by bots) and even versions of browsers. Peakhour supports standard TLS fingerprinting as well as JA4 for enhanced detection.

HTTP/2 Fingerprinting

Examines the settings and stream data from an HTTP/2 connection. This includes:

  • SETTINGS frame parameters (e.g., SETTINGS_HEADER_TABLE_SIZE)
  • WINDOW_UPDATE frame increments
  • Priority settings

HTTP/2 fingerprints can reliably distinguish between different browsers and automated tools, as they each have unique implementations of the HTTP/2 protocol.
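The following added example (not Peakhour's code) shows how the SETTINGS, WINDOW_UPDATE and PRIORITY values listed above can be read from a client's opening HTTP/2 bytes and reduced to a comparable string. The "settings|window_update|priority" layout, the function names and both sample clients are assumptions made for illustration; the page does not describe Peakhour's own fingerprint format.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # fixed client connection preface
SETTINGS, PRIORITY, WINDOW_UPDATE = 0x4, 0x2, 0x8  # HTTP/2 frame type codes

def frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame; used here only to build the constructed samples."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id) + payload

def settings_payload(*pairs):
    """Pack (identifier, value) pairs in the order given."""
    return b"".join(struct.pack(">HI", ident, value) for ident, value in pairs)

def h2_fingerprint(data):
    """Summarise a client's opening frames as 'settings|window_update|priority'."""
    if not data.startswith(PREFACE):
        raise ValueError("missing HTTP/2 client preface")
    pos, settings, window, prios = len(PREFACE), [], 0, []
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break  # truncated capture: keep what the complete frames gave us
        pos += 9 + length
        if ftype == SETTINGS and not flags & 0x1:  # ignore SETTINGS ACKs
            if length % 6:
                raise ValueError("malformed SETTINGS payload")
            # Keep the client's own ordering: the order is part of the signal.
            for off in range(0, length, 6):
                ident, value = struct.unpack_from(">HI", payload, off)
                settings.append(f"{ident}:{value}")
        elif ftype == WINDOW_UPDATE and stream_id == 0 and length == 4 and not window:
            window = int.from_bytes(payload, "big") & 0x7FFFFFFF
        elif ftype == PRIORITY and length == 5:
            dep = int.from_bytes(payload[:4], "big")
            # stream:exclusive:dependency:weight (wire weight is value - 1)
            prios.append(f"{stream_id}:{dep >> 31}:{dep & 0x7FFFFFFF}:{payload[4] + 1}")
    return "|".join([";".join(settings), str(window), ",".join(prios) or "0"])

# Constructed samples: two clients with different HTTP/2 stacks.
CLIENT_A = (PREFACE
            + frame(SETTINGS, 0, 0, settings_payload((1, 65536), (3, 1000), (4, 6291456)))
            + frame(WINDOW_UPDATE, 0, 0, struct.pack(">I", 15663105)))
CLIENT_B = (PREFACE
            + frame(SETTINGS, 0, 0, settings_payload((4, 65535), (3, 100)))
            + frame(PRIORITY, 0, 3, struct.pack(">IB", 0, 200)))

if __name__ == "__main__":
    print(h2_fingerprint(CLIENT_A))
    print(h2_fingerprint(CLIENT_B))
```

The two strings differ in which settings are sent, the order they are sent in, and whether a connection-level WINDOW_UPDATE or a PRIORITY frame appears, which is the kind of difference a rule can match on.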

TCP Fingerprinting

Analyzes the parameters of the initial TCP SYN packet, such as:

  • Window size
  • Maximum Segment Size (MSS)
  • TCP options and their order

This provides a low-level fingerprint of the client's operating system and network stack.

HTTP Fingerprinting

Analyzes the structure and order of HTTP headers sent by the client. While less reliable than lower-level fingerprints, it can still provide useful signals for identifying automation.

Use Cases in Security

Network fingerprinting is a powerful tool for enhancing your security posture:

  • Bot Detection: Many bots and malicious tools use standard HTTP libraries (like Python's requests or curl) that have very distinct and consistent fingerprints. This allows you to challenge or block them, even if they rotate IP addresses or use legitimate-looking user agents.
  • Threat Intelligence: Fingerprints associated with known malware or attack tools can be blocked proactively.
  • API Security: Enforce that only your official mobile or web applications can access your API by creating rules that allow only their specific fingerprints.
  • Fraud Prevention: Identify users trying to mask their identity by detecting inconsistencies between their fingerprint and their claimed user agent.
  • Reducing False Positives: Fingerprinting can help distinguish between a legitimate user and a bot coming from the same IP address (e.g., on a corporate network), allowing for more precise security actions.

By integrating network fingerprinting into the rules engine, Peakhour provides a sophisticated, multi-layered approach to client identification and threat mitigation.